The report, sponsored by Hewlett-Packard and Microsoft, is based on a survey of 285 cybersecurity professionals working in 18 industries designated as critical infrastructure by the Department of Homeland Security.

Only a small subset of the critical infrastructure organizations surveyed employed cyber supply chain security best practices – many of these firms face an increased risk of a cyber supply chain attack that could impact business operations and service delivery to the public, the report noted.

“Most of the critical infrastructure organizations surveyed are not doing adequate security due diligence on the IT vendors that provide them with products and services”, said Jon Oltsik, ESG principal analyst and author of the report. “They haven’t instituted secure software development lifecycles across their enterprises and they don’t have a set of security requirements for third-party business partners with whom they share IT systems. These weaknesses create a real vulnerability and need to be addressed as soon as possible.”

The survey found that 68% of critical infrastructure organizations have experienced at least one security breach in the past 24 months, and 13% have suffered more than three security breaches in the past 24 months.

In addition, 20% of respondents working at critical infrastructure organizations rated the effectiveness of their organization’s security policies, procedures, and technology safeguards as either “fair” or “poor”. And 71% predicted that the security threat landscape would grow worse in the next 24–36 months.

“Clients must feel confident in the security of the products they deploy within their data centers”, said Chris Whitener, chief security strategist at HP. “This report demonstrates a strong client desire for secure processes throughout the supply chain, ensuring the integrity of the IT products that are developed.”

Survey respondents were also asked about the cybersecurity role of the US federal government. A full 71% of respondents said that the federal government should be more active with cybersecurity strategies and defenses – 31% believe that the government should be significantly more active. Respondents suggested that the federal government should do a better job of sharing cybersecurity information and providing incentives like tax credits to organizations that invest in cybersecurity.